Russian hackers reportedly breached the electoral systems of at least 39 states during the summer and fall of 2016, accessing software designed to be used by poll workers on Election Day.
The new number is nearly twice the number of states previously reported. Investigators in Illinois found evidence suggesting the threat actors attempted to delete or alter voter data, and in at least one state, hackers accessed a campaign finance database, three people close to the investigation told Bloomberg.
"The new details, buttressed by a classified National Security Agency document recently disclosed by the Intercept, show the scope of alleged hacking that federal investigators are scrutinising as they look into whether Trump campaign officials may have colluded in the efforts," the publication said.
The information gathered from the Illinois breach sheds light on the tactics, techniques, and procedures of those behind the attacks, Tripwire senior security research engineer Travis Smith told SC Media.
"In this instance, voter data was found in an internal database," Smith said. "The attackers appear to have only gained read-only access to the database based off of a couple of indicators. First, a contractor spotted unauthorised data (up to 90,000 voter records) leaving the network. Second, attackers failed to alter and delete voter records on the database."
The scope of the attacks was so broad that the Obama administration took an unprecedented step and complained to Moscow over what was described as a modern-day "red phone." Administration officials offered detailed documents to the Kremlin accusing Russia of the cyber-attacks and warned that the attacks risked setting off a broader conflict.
"From a technical standpoint - these attacks were based on the targeted employees clicking and opening MS Word documents that have VBScript running," FireMon chief technology officer (CTO) Paul Calatayud told SC Media. "A good practice would be to disable and not trust VBScripting within Word which can be done based on policies."
Calatayud said this would have prevented the malware from executing once employees clicked on the documents to open them. He went on to say that organisations supporting the voting processes should be regulated with a high security standard and that a minimum set of technologies should be required, with audits and assessments performed much like the banking and retail industries are required to demonstrate.
"Local governments are similar to many small businesses in regards to cyber-security defence maturity," Calatayud said. "Little awareness and training is often present. Good risk reduction starts with strong awareness to ensure employees are not clicking on random emails is a good start but can be difficult to monitor and implement."
Experts agreed that officials need to make a greater effort to audit voter system software, Varonis VP of Field Engineering Ken Spinner told SC Media.
"Without a record of who is accessing, changing, or deleting data, it's virtually impossible to detect compromise," Spinner said. "It's not hard to imagine a scenario where voter data has been compromised, but has gone undetected due to lack of auditing or evidence of a breach."
He explained that upcoming data privacy regulations like the General Data Protection Regulation (GDPR) spur organisations to proactively protect critical data by limiting access and taking a privacy-by-design approach. He called these actions a huge step not only in data privacy, but also a method to act as a front line of defence in cyber-attacks.
The new information comes right on the heels of the NSA documents leaked by Reality Winner concerning Russian cyber-attacks on US voting systems.
UPDATE: This story was updated to include comments from Tripwire Senior Security Research Engineer Travis Smith.